India Compliance Guide for Foreign Companies & GCCs (2026)

India is the world’s most active destination for Global Capability Centers, and 2026 is the year the rules underneath that boom changed more than they have in a generation. A new Income Tax Act, four labour codes finally in force, and the country’s first real data-protection regime all landed within months of each other.

For a foreign company setting up a GCC, a subsidiary, or even hiring a single engineer in India, compliance is no longer a back-office afterthought. It is the difference between a clean market entry and a stalled one. This guide maps everything a foreign company must comply with in India in 2026, in plain language, and points you to deeper resources on each topic.

What changed in 2026? Read this first

• Income Tax Act, 2025 replaced the 64-year-old 1961 law from 1 April 2026.
• Four Labour Codes came into force from 21 November 2025, with central rules finalised in May 2026.
• DPDP Rules, 2025 operationalised India’s data-protection law, with the heaviest obligations phasing in by 2027.

If your compliance playbook predates these changes, it is out of date.

Why compliance is the real barrier to entry in India

The talent, the cost arbitrage, and the time-zone advantage that draw foreign companies to India are well understood. What surprises most leadership teams is how much of a successful India entry is actually a compliance exercise rather than a commercial one.

India operates a layered regulatory system: central laws, state-level rules, sector-specific regulators (RBI, SEBI, MeitY), and a tax framework that distinguishes sharply between a foreign company doing business with India and one doing business in India. Get the structure wrong and you can trigger tax liability, penalties, or a frozen entity before you have hired your first employee.

The good news is that the obligations are knowable and manageable. They fall into five buckets: corporate, tax, permanent-establishment, employment, and data. The rest of this guide walks through each.

1. Corporate and entity compliance

Before anything else, a foreign company needs a lawful presence to operate in India. The most common vehicle for a GCC is a wholly-owned subsidiary (a private limited company under the Companies Act, 2013), though liaison, branch, and project offices exist for narrower purposes.

Core obligations once incorporated include:

• Registration with the MCA / ROC: company incorporation, director identification, and registered office.
• FEMA and RBI reporting: foreign direct investment into the subsidiary must be reported (FC-GPR and related filings) within prescribed timelines.
• Annual ROC filings: financial statements and annual returns, plus board and statutory meeting requirements.
• Statutory registrations: PAN, TAN, GST, and the various labour and social-security registrations covered below.

If you are still deciding how to enter, two reads will save you weeks: our breakdown of foreign company registration in India and our comparison of a wholly-owned subsidiary vs a captive center in India. For a step-by-step setup view, see our GCC setup in India executive guide.

2. Permanent establishment (PE) risk: the most expensive mistake

This is the single most under-appreciated compliance risk for foreign companies, and the one that catches the most teams off guard.

A permanent establishment is created when a foreign company’s activity in India is substantial enough that Indian tax authorities can tax a portion of the company’s global profits attributable to India. You do not need an incorporated entity to trigger it. Employees signing contracts, a fixed place of business, or a dependent agent can each be enough.

For companies that “just hire a few people in India” without the right structure, PE exposure is a real and recurring danger. The tax, interest, and penalty consequences of an unintended PE can dwarf the cost of setting up correctly in the first place.

Because this is so consequential, we cover it in depth separately: read Permanent Establishment (PE) risk explained for foreign companies before you finalise any India hiring or contracting model.

3. Tax compliance under the new Income Tax Act, 2025

From 1 April 2026, India’s direct-tax framework runs on the Income Tax Act, 2025, which replaced the Income-tax Act, 1961. For most companies, the headline reassurance is that tax rates and slabs are unchanged. This was a structural rewrite, not a rate hike.

The Act consolidates and renumbers provisions into a cleaner 536-section, 23-chapter format and replaces the old “previous year / assessment year” language with a single “Tax Year” concept.

What foreign companies and GCCs actually need to comply with:

• Corporate income tax on the Indian entity’s profits, including the arm’s-length pricing of intra-group services.
• Transfer pricing: because a GCC typically provides services to its parent, the pricing of those services must meet arm’s-length standards and be documented. This is a perennial audit focus for captive centers.
• TDS (withholding tax) on salaries, vendor payments, and cross-border remittances.
• Filing under the new section numbers and forms: practitioners must transition references and procedures to the 2025 Act and the updated rules.

One transition nuance worth flagging: returns for FY 2025-26 are still governed by the old 1961 Act, while income earned from FY 2026-27 falls under the new law. Getting that handoff right matters.

For a GCC-specific view of what the new law changes, see the India Income Tax Act’s impact on GCCs.

4. Employment and labour-law compliance: the 2026 labour codes

This is where 2026 brings the most operational change. India consolidated 29 central labour laws into four Labour Codes: the Code on Wages, the Code on Social Security, the Industrial Relations Code, and the Occupational Safety, Health and Working Conditions Code.

They became effective on 21 November 2025, with the final central rules notified in May 2026. Because labour is a shared central-and-state subject, the precise rules still vary by state and continue to roll out. The exact obligations therefore depend on where you hire.

Regardless of the transition, every employer in India must stay current on:

• Payroll and wages: the codes change how “wages” is defined, which affects basic-pay ratios, provident-fund contributions, and gratuity.
• Statutory social security: Provident Fund (EPF), Employees’ State Insurance (ESI), and gratuity registrations and contributions.
• Working hours, leave, and overtime rules under the OSH code.
• Employment contracts and policies aligned to the new definitions.
• State-specific registrations: shops-and-establishments and professional tax differ by state.

Payroll and statutory compliance is unforgiving in India. Late or incorrect filings attract penalties and can jeopardise an entity’s standing.

5. Data protection compliance (DPDP)

India now has a comprehensive data-protection law. The Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025, giving effect to the DPDP Act, 2023.

The law applies not only to processing inside India but also extraterritorially to entities offering goods or services to people in India. Foreign companies with Indian users or operations are therefore squarely in scope.

Key points for GCCs and foreign companies:

• Consent-led processing: clear notice and consent for collecting personal data, with the right to withdraw.
• Breach notification and data-erasure obligations once a purpose is fulfilled.
• Significant Data Fiduciary (SDF) designation for high-volume or high-sensitivity processors, which triggers annual data-protection impact assessments and audits.
• Phased timelines: the Data Protection Board stood up immediately on notification, while the heaviest substantive obligations phase in through 2027.

Penalties are steep, up to ₹250 crore for serious security failures, making early privacy-by-design investment the prudent path.

The decision that drives all of the above: entity vs EOR

Every compliance obligation in this guide is shaped by one upstream choice: how you employ people in India.

• Own entity (subsidiary): full control and the right vehicle for a scaled GCC, but it carries the complete corporate, tax, payroll, and statutory burden from day one.
• Employer of Record (EOR): a compliant way to hire in India without setting up an entity, where the EOR is the legal employer and carries payroll and statutory compliance. Ideal for testing the market, hiring quickly, or bridging the gap while an entity is being incorporated.

The most dangerous middle path is hiring Indian staff with no entity and no EOR. Paying contractors directly or running an informal arrangement is precisely what creates PE exposure, misclassification risk, and statutory gaps.

If speed and compliance both matter, an EOR is usually the right first step.

Your 2026 India compliance checklist

1. Choose your entry model: EOR for speed, subsidiary for scale, or BOT to phase the transition.
2. Assess PE risk before you hire or contract anyone in India.
3. Complete corporate registrations: MCA/ROC, PAN, TAN, GST, FEMA reporting.
4. Stand up payroll and statutory compliance: EPF, ESI, gratuity, professional tax, aligned to the labour codes.
5. Map your tax obligations under the Income Tax Act, 2025, including transfer pricing for intra-group services.
6. Build a DPDP compliance plan: consent flows, security safeguards, and breach processes.
7. Track state-level variation: labour-code rules and registrations differ by state.

How SansoviGCC keeps your India entry compliant

SansoviGCC helps foreign companies enter India the right way: fast and fully compliant. We handle entity setup, employer-of-record hiring, payroll and statutory compliance, and GCC build-out, so your team can focus on the work rather than the regulations.

Whether you need to hire one person this month or build a 200-person capability center over the next year, we structure your entry to keep PE risk, tax, labour, and data obligations covered from day one.

Talk to SansoviGCC’s India-entry team

This guide is for general information and reflects the regulatory position in 2026. It is not legal or tax advice. India’s labour-code rules and DPDP obligations are still rolling out and vary by state and sector. Confirm specifics for your situation with qualified advisors.